Security

Principal lecturer:Dr Ross AndersonTaken by: Part IINumber of lectures: 12Lecture location: Rayleigh Lecture RoomLecture times: 11:00 on MWF starting 15-Jan-99
This course builds on the 1b `Introduction
to Security' course to give you a solid foundation in contemporary
computer security and cryptology. We look at a number of applications
which need various combinations of confidentiality, availability,
integrity and covertness properties; at the mechanisms which we can
use to incorporate these properties in systems; at how such systems
fail; at how they can be made robust against various kinds of failure;
and at various policy and legal issues.

The course consists of twelve lectures on the following topics. The
notes are available here, as are some of the handouts; unfortunately
some of them aren't for copyright and other reasons.

Lecture
7: Block ciphers. Feistel ciphers including DES. Differential and
linear cryptanalysis. Other styles of block cipher, including SAFER,
Skipjack and IDEA. Modes of operation. Hash functions and their
applications. Supplementary papers: the specification
of DES, and an attack
on 31-round Skipjack.

Lecture
12: Security engineering: what actually goes wrong with real
systems. Threat trees and risk models. Evaluation and accreditation.
Policy and legal issues: civil and criminal evidence rules, the Data
Protection Acts the Computer Misuse Act, export control and key
escrow. Organisational issues; due diligence and the role of
insurance.

Books and other sources

System security is an extremely wide subject, drawing on a great
range of disciplines. Although computer secience is now the central
one, we draw on mathematics, electrical engineering, semiconductor
physics, applied psychology, financial accounting, the criminal
law ... there's never a dull moment.

The best way for you to acquire a feel for what's going on is by wide
reading. The history is fun: for the period up to world war 2, see
Kahn's `The Codebreakers', while details of how codebreakers at
Bletchley Park cracked the Enigma during the war are in Welchman's
`The Hut Six Story' and Hinsley and Stripp's `Codebreakers'.

Textbooks: Ed Amoroso's `Fundamentals of Computer Security
Technology' is a good general introduction, while Dieter Gollmann's
`Computer Security' is very good on the military side of things.
For more specific information on Unix and Internet security, see
Cheswick and Bellovin's `Firewalls and Internet Security' and
Garfinkel and Spafford's `Practical Unix and Internet Security'.

None of the above goes into cryptology in much depth. For that, try
Schneier's `Applied Cryptography' which is quite broad and
includes `C' source code for a lot of algorithms (be sure to get the
second edition). More specialised books are referred to in the
further reading notes at the end of each lecture.

If you are thinking of a career (research or otherwise) which touches
on this subject, I'd encourage you to come to the security
seminars, which are held on most Tuesday afternoons during term,
and the lab's security group meetings at 4pm on Fridays (both in TP4).

Finally, there are many relevant and interesting resources on the web,
from newsgroups such as sci.crypt.research and comp.risks through
hacker and CERT sites to organisations involved in crypto policy and,
of course, researchers'
home pages.